[Openswan dev] Question about UDP in ESP encapsulation in Openswan

Paul Wouters paul at xelerance.com
Tue Oct 26 15:52:18 EDT 2010

On Tue, 26 Oct 2010, Kevin Wilson wrote:

> As far as I understand, when adding nat-traversal=yes to ipsec.conf
> and when  both sides are behind NAT,

If one or both sides are behind NAT.

> As far as I understand, openswan usespace pluto daemon  is opening
> sockets and sends these two types packets.


> My question is about regular traffic

> This traffic also should have UDP encapsulation for NAT-T ; who
> performs this ?

The kernel. Either the XFRM NAT-T hooks (netkey and klips on linux > 2.6.22)
or the KLIPS NAT-T patch (linux <= 2.6.22)

> is it a job done by the kernel ? who tells the kernel
> that the traffic should be UDP encapsulated for NAT-T ? or is it done
> by openswan (I believe it ain't so).

Yes, the socket is marked as UDP_ENCAP using a setsockopt.

> 1) Where in the kernel such encapsulation is done ?

old style: net/ipv4/udp.c
new style: via xfrm hook in net/ipv4/udp.c


More information about the Dev mailing list